Communication monitoring device and communication monitoring method

ABSTRACT

In order to monitor communication by a frame column performed among electronic controllers, a communication monitoring device determines some or all of fields configuring a frame as an object section, extracts the object section as an attention section from the frame received from an in-vehicle network, and verifies validity of the received frame based on the attention section.

INCORPORATION BY REFERENCE

The present application claims priority under 35 U.S.C. § 119 toJapanese Patent Application No. 2021-206101 filed on Dec. 20, 2021 andJapanese Patent Application No. 2022-133179 filed on Aug. 24, 2022. Thecontent of the applications is incorporated herein by reference in itsentirety.

BACKGROUND OF THE INVENTION Field of the Invention

The present invention relates to a communication monitoring device and acommunication monitoring method that monitor communication via anin-vehicle network.

Description of the Related Art

International Publication No. WO 2018/008452 describes an impropercontrol suppressing method in a network system provided with a pluralityof electronic control units which exchange a plurality of frames via acommunication channel. In the improper control suppressing method, acontrol frame which instructs predetermined control to a controlledobject and a state frame including information regarding a state of thecontrolled object are successively received from the communicationchannel. Then, on the basis of a set of the state frames received withina predetermined period preceding the time of reception of the receivedcontrol frame, whether or not to suppress the predetermined controlbased on the received control frame is determined.

However, in the conventional improper control suppressing methoddescribed above, since control information and state information of theframes communicated for the controlled object are examined, processingloads for improper control detection become heavier together with thenumber of the controlled objects to be the objects of processingimpropriety detection. For example, when improper control in entryprocessing when a person is boarding a vehicle is to be prevented, theimproper control needs to be detected with various ECUs including a keycommunication ECU which controls communication with a smart key, a keyauthentication ECU (immobilizer) and a door lock control ECU or the likeas the controlled objects.

On the other hand, as vehicle functions are diversified, acceleration ofrouting processing in an in-vehicle network is also demanded, and theprocessing needs to be simplified while maintaining high securityperformance such as detection of a forged frame.

In addition, as in a conventional technology described above, in a caseof fixedly using a specific ECU as the controlled object of the impropercontrol detection, once the controlled object is specified by a thirdperson, the improper control detection could be invalidated by amalicious person.

From the above-described background, an object of the present inventionis, regarding detection of improper communication in communication viaan in-vehicle network performed among a plurality of electroniccontrollers, to reduce the processing loads without lowering a detectionprobability of the improper communication.

The detection of the improper communication in the in-vehicle networkeffectively prevents occurrence of theft by controlling a communicationattack made at the time of vehicle theft for example and can contributeto achievement of SDGs through realization of secure, safe andsustainable motorized society (SDGs 11.2 or the like).

SUMMARY OF THE INVENTION

According to one mode of the present invention aspect, a communicationmonitoring device monitors communication via an in-vehicle networkperformed among a plurality of electronic controllers, the communicationis configured by a column of one or more frames, and the communicationmonitoring device includes: an object determination unit configured todetermine some or all of fields configuring the frame as an objectsection; a reception unit configured to receive the frame propagatedthrough the in-vehicle network; an extraction unit configured to extractthe object section as an attention section from a reception frame whichis the frame received by the reception unit; and a verification unitconfigured to verify validity of the reception frame based on theextracted attention section.

According to another mode of the present invention aspect, the objectdetermination unit divides the frame used for the communication into aplurality of field groups according to one division rule, and determinesat least one of the field groups as the object section.

According to a further mode of the present invention aspect, theextraction unit counts a usage count for which each of the field groupsis used for extraction of the attention section, and the objectdetermination unit determines, when a difference between a maximum valueand a minimum value of the usage counts among the field groups is afirst predetermined value or larger, at least one new object sectionfrom the plurality of divided field groups excluding the field group theusage count of which is the maximum value.

According to a still further mode of the present invention aspect, theobject determination unit determines a new object section from all thedivided field groups, when the difference between the maximum value andthe minimum value of the usage counts among the field groups is smallerthan a second predetermined value.

According to a yet further mode of the present invention aspect, theextraction unit counts a usage count for which each of the field groupsis used for extraction of the attention section, and the objectdetermination unit changes the division rule, newly divides the frameinto a plurality of field groups according to the changed division rule,and determines at least one of the plurality of newly divided fieldgroups as the object section, when the difference between the maximumvalue and the minimum value of the usage counts among the field groupsis smaller than a third predetermined value.

According to a yet still further mode of the present invention aspect,the extraction unit initializes, when the object determination unitnewly divides the frame into a plurality of field groups according tothe changed division rule, the usage counts of all the newly dividedfield groups to 0.

According to a yet still further mode of the present invention aspect,the object determination unit increases the number of the field groupsto be determined as the object section from the plurality of dividedfield groups, when the verification unit determines that at least one ofthe attention sections extracted by the extraction unit from each of thereception frames is not proper.

According to a yet still further mode of the present invention aspect,the object determination unit determines all of the plurality of dividedfield groups as the object section, when the verification unitdetermines that at least one of the attention sections extracted by theextraction unit from each of the reception frames is not proper.

According to a yet still further mode of the present invention aspect,the verification unit sets a monitoring period of a predetermined timelength, and the reception unit receives the frame propagated through thein-vehicle network in the monitoring period.

According to a yet still further mode of the present invention aspect,the object determination unit randomly determines at least one of thefield groups as the object section every time the monitoring periodstarts.

According to a yet still further mode of the present invention aspect,the verification unit verifies the validity for a predetermined numberof the reception frames in each monitoring period, and increases thetime length of the monitoring period when one of the reception frames isdetermined as not being proper.

According to a yet still further mode of the present invention aspect,the verification unit increases the predetermined number when one of theextracted reception frames is determined as not being proper.

According to a yet still further mode of the present invention aspect,the verification unit repeatedly sets the monitoring periods with asuspension period in-between, and irregularly changes the time length ofthe suspension period within a predetermined range.

The object determination unit determines a different field or a set offields as the object section for each of a plurality of sets of thereception frames for each monitoring period.

A yet still further mode of the present invention aspect is acommunication monitoring method conducted by a computer of acommunication monitoring device which monitors communication via anin-vehicle network performed among a plurality of electroniccontrollers, the communication is configured by a column of one or moreframes, and the communication monitoring method includes: a step ofdetermining some or all of fields configuring the frame as an objectsection; a step of repeatedly receiving the frame propagated through thein-vehicle network; a step of extracting the object section as anattention section from a reception frame which is the frame received inthe receiving step; and a step of verifying validity of the receptionframe based on the extracted attention section.

According to the present invention aspect, regarding detection ofimproper communication in communication via an in-vehicle networkperformed among a plurality of electronic controllers, the processingloads can be reduced without lowering a detection probability of theimproper communication.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram of a vehicle including a communicationmonitoring device according to one embodiment of the present invention;

FIG. 2 is a diagram illustrating a configuration of the communicationmonitoring device;

FIG. 3 is a diagram for explaining verification of frame validity in thecommunication monitoring device;

FIG. 4 is diagram for explaining verification of frame validity in asecond modification; and

FIG. 5 is a flowchart illustrating a procedure of an operation of thecommunication monitoring device.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

Hereinafter, a control system of a vehicle including a communicationmonitoring device according to one embodiment of the present inventionwill be described with reference to the drawings.

FIG. 1 is a diagram illustrating a control system 1 of a vehicle.

The control system 1 includes a central ECU 2 which performs overallcontrol of the vehicle and information processing. Hereinafter, thevehicle loaded with the control system 1 is referred to as a presentvehicle. The central ECU 2 is connected to communication lines 4 a, 4 band 4 c, and achieves a function of a gateway which manages exchange ofcommunication data among the communication lines. In addition, thecentral ECU 2 is connected with a wireless device (not illustrated)based on a communication standard of a mobile communication system, andexecutes OTA (Over The Air) management. The OTA management includescontrol of downloading an update program of an in-vehicle deviceprovided in the present vehicle from a server outside the vehicle andapplying the update program to the in-vehicle device.

To the communication lines 4 a, 4 b and 4 c, a first zone ECU 20 a, asecond zone ECU 20 b, and a third zone ECU 20 c are connectedrespectively. ECUs 30 a, 30 b and 30 c are connected to the first zoneECU 20 a, and ECUs 30 d, 30 e and 30 f are connected to the second zoneECU 20 b. In addition, ECUs 30 g, 30 h and 30 i are connected to thethird zone ECU 20 c.

Hereinafter, the first zone ECU 20 a, the second zone ECU 20 b and thethird zone ECU 20 c are also referred to as zone ECUs 20 collectively,and the ECUs 30 a, 30 b, 30 c, 30 d, 30 e, 30 f, 30 g, 30 h and 30 i arealso referred to as ECUs 30 collectively.

The ECUs 30 may include an ECU which controls operations of variousdevices and sensors provided in the present vehicle, such as an MPU (MapPositioning Unit), an MVC-ECU (MVC; Multi View Camera), a PKS-ECU (PKS;Parking Support), and/or an ADAS-ECU (ADAS; Advanced Driver-AssistanceSystem) or the like. Such devices and sensors may include a motor fortraveling which makes the present vehicle travel, a steering operationdevice such as an accelerator or a brake, a VSA device (VSA; VehicleStability Assist), a battery, a lamp body such as a head lamp, a windowmotor which drives a door window, an actuator which drives a door lockmechanism, a door lock sensor, a door opening/closing sensor, atemperature sensor, a vehicle outside camera, and a vehicle compartmentcamera or the like.

To each zone ECU 20, the plurality of ECUs 30 disposed in a same sectionof a vehicle body space of the present vehicle or the plurality of ECUs30 which control the operations of the device and the sensor disposed inthe same section are connected.

To the central ECU 2, other controllers and apparatuses may be connectedin addition to the zone ECUs 20. Such controllers and apparatuses mayinclude an ICB (Infotainment Control Box), a speaker, a microphone, ameter panel, a steering switch, a GNSS sensor and a touch panel or thelike.

The communication lines 4 a, 4 b and 4 c are configured by CAN buseswhich perform communication based on a CAN communication standard forexample, in the present embodiment. Hereinafter, the communication lines4 a, 4 b and 4 c are collectively referred to as communication lines 4.Here, the communication lines 4 correspond to an in-vehicle network inthe present disclosure. In addition, the zone ECUs 20 connected to thecommunication lines 4 correspond to a plurality of electroniccontrollers in the present disclosure.

According to a conventional technology, the zone ECUs 20 connected tothe communication lines 4 send out data to be transmitted to thecommunication lines 4 by one frame or as a column of a plurality offrames according to the CAN communication standard. According to the CANcommunication standard, each frame to be sent out includes anidentification code (ID), and each zone ECU 20 which receives the framedetermines whether or not the frame is the frame transmitted to itselfbased on the ID included in the frame.

In the present embodiment, in particular, the control system 1 includesa communication monitoring device 40 connected to the communicationlines 4 a, 4 b and 4 c. The communication monitoring device 40 monitorsthe communication via the communication lines 4 performed among theplurality of zone ECUs 20.

Configuration of Communication Monitoring Device

FIG. 2 is a diagram illustrating a functional configuration of thecommunication monitoring device 40.

The communication monitoring device 40 includes a processor 41, a memory42 and a communication device 43. The memory 42 is configured by avolatile and/or nonvolatile semiconductor memory and/or a hard diskdevice or the like, for example. The communication device 43 includesthree CAN transceivers (not illustrated) connected to each of thecommunication lines 4 a, 4 b and 4 c which are the CAN communicationbuses, for example.

The processor 41 is a computer provided in the communication monitoringdevice 40, and is configured by one or more CPUs (Central ProcessingUnits) for example.

The processor 41 includes a reception unit 45, an object determinationunit 46, an extraction unit 47 and a verification unit 48 as functionalelements or functional units. The functional elements provided in theprocessor 41 are realized by the processor 41 which is a computerexecuting a communication monitoring program 44 which is a computerprogram stored in the memory 42, for example. Alternatively, all or someof the functional elements provided in the processor 41 may beconfigured by hardware including one or more electronic circuit partsrespectively.

The reception unit 45 receives the frames propagated through each of thecommunication lines 4 a, 4 b and 4 c by the communication device 43 in amonitoring period set by the verification unit 48. Start of themonitoring period may be instructed to the reception unit 45 by theverification unit 48, or may be determined by the reception unit 45according to a time length and an execution interval of the monitoringperiod instructed by the verification unit 48.

Hereinafter, the reception unit 45, the object determination unit 46,the extraction unit 47 and the verification unit 48 independentlyexecute processing for the frames propagated through each of thecommunication lines 4 a, 4 b and 4 c respectively for the communicationlines 4 a, 4 b and 4 c.

The object determination unit 46 determines (or defines) some or all offields configuring the frame used for the communication as an objectsection. Specifically, the object determination unit 46 divides theframe into a plurality of field groups according to one division rule,and determines at least one of the field groups as the object section.The object determination unit 46 randomly determines at least one objectsection for each monitoring period for example.

The division rule may determine the number of the field groups to becreated and the number of fields configuring each field group, forexample. The number of the groups and the number of the fields may berandomly determined using a random number generation function, forexample. The object determination unit 46 divides the frame into theplurality of field groups by creating place holders of the field groupsaccording to the number of the groups and the number of the fieldsdetermined by the division rule and randomly applying a specific fieldto each of the created place holders.

The extraction unit 47 extracts a field part of the field groupindicated by the object section determined by the object determinationunit 46 as an attention section from a reception frame which is theframe received by the reception unit 45.

The verification unit 48 verifies validity of the reception frameincluding the attention section based on the attention section extractedby the extraction unit 47.

Specifically, the verification unit 48 sets the monitoring period of apredetermined time length. Then, the verification unit 48 extracts apredetermined number of the reception frames from the frame received inthe monitoring period for each monitoring period, and verifies thevalidity of the reception frames based on the predetermined number ofthe reception frames (that is, based on an attention section extractedfrom the predetermined number of the reception frames).

FIG. 3 is a diagram for explaining validity verification in atransmitted frame column. In FIG. 3 , a horizontal axis is time, andeach vertically long rectangle is the frame transmitted through thecommunication line 4 a at each time. In an example in FIG. 3 , asuspension period during which the reception unit 45 does not receivethe frame is held between the monitoring periods. In the monitoringperiod, eight reception frames are present, and six reception framesamong them are extracted as the reception frames used for the validityverification. In FIG. 3 , the reception frames used for the validityverification are illustrated by rectangles of a thick line.

In FIG. 3 , the first six frames received in the monitoring period arethe reception frames used for the validity verification, however, it isan example and the reception frames used for the validity verificationmay be arbitrarily selected from the frames received in the monitoringperiod. In FIG. 3 , a black-painted part in the thick-line rectangleillustrating the reception frame used for the validity verification isthe attention section extracted corresponding to the object section. Theobject section (therefore, the attention section) does not need to beconfigured by continuous fields in the frame and may be configured by aplurality of fields present at distant positions in the frame. In theexample in FIG. 3 , the attention section is configured by the fieldgroup including the fields present at the two distant positions in thereception frame in the monitoring period illustrated on a left side inthe figure, and is configured by the field group including the fieldspresent at the continuous positions in the monitoring period illustratedon a right side in the figure. In addition, since the object section isdetermined for each monitoring period, the attention section alsooccupies different positions in the reception frame for each monitoringperiod.

The object section determined as the one indicating the position of theattention section used for the validity verification is selected fromthe plurality of field groups dividing the frame in the objectdetermination unit 46. Thus, a reference of the validity verificationfor the attention section extracted from the position indicated by theobject section in the reception frame can be easily determined accordingto a content definition of the fields included in the field group forexample.

As an example, the validity of the reception frame may be verified basedon the reference whether or not content abnormality is recognized and/orwhether or not there is consistency in the attention sections extractedby the extraction unit 47 from each of the predetermined number of thereception frames.

Here, the “content abnormality” and the “consistency” described abovecan be predefined corresponding to types of the fields included in theattention section.

For example, in a case where ID fields are included in the attentionsection, the “content abnormality” may be that an ID included in the IDfields includes one, two or more predetermined codes other than IDcodes. Alternatively, the “content abnormality” may be, for example, inthe case where data fields are included in the attention section, thatan abnormal value exceeding a predetermined value range is included indata indicated by the data fields. Further, alternatively, the “contentabnormality” may be abnormality of a CRC value in a CRC field, forexample.

In addition, in the case where the data fields are included in theattention section, the “consistency” may be that there is no abnormalchange (for example, change exceeding a predetermined threshold) of anumerical value included in the data field among the predeterminednumber of the attention sections, for example.

The communication monitoring device 40 having the configurationdescribed above divides the frame into a plurality of field groups,determines the object section from the plurality of field groupsrandomly for each monitoring period for example, and extracts theattention section corresponding to the object section for each receptionframe. Then, in the communication monitoring device 40, the validity ofthe reception frame is verified based on the extracted attentionsection.

In the communication monitoring device 40, the validity of the receptionframe is verified based on the attention section which is a part of thereception frame so that processing loads for the validity verificationare reduced compared to a conventional technology of examining controlinformation and state information of the frames communicated for aspecific controlled object.

In addition, in the communication monitoring device 40, the objectsection which stipulates the attention section can be arbitrarilyselected from the frame by a random selection from the plurality offield groups for example so that all the frames can be finally verifiedby repetition of verification processing. Thus, in the communicationmonitoring device 40, the attention section used for the verification isprevented from being fixed to a specific part of the frame and a highdetection probability of improper communication (improper frame) can bemaintained.

Next, some modifications of the communication monitoring device 40 willbe described.

First Modification

As the first modification, the extraction unit 47 counts a usage countfor which each of the field groups divided by the object determinationunit 46 is used for extraction of the attention section, and notifiesthe object determination unit 46 of a count value.

Then, when a difference between a maximum value and a minimum value ofthe usage counts among the plurality of field groups is a firstpredetermined value (for example, 3) or larger, the object determinationunit 46 determines at least one new object section from the plurality ofdivided field groups excluding the field group the usage count of whichis the maximum value. The new object section may be randomly determined,for example.

According to the configuration, since the object section is selectedfrom the field groups other than the field group which is used manytimes, the high detection probability of the improper frame can befurther accurately maintained.

Alternatively, the object determination unit 46 may determine a newobject section from all the divided field groups, when the differencebetween the maximum value and the minimum value of the usage countsamong the field groups is smaller than a second predetermined value (forexample, 3). The new object section may be randomly determined forexample.

According to the configuration, since a new object section is selectedfrom all the field groups when the difference of the usage counts amongthe object section field groups becomes small, the high detectionprobability of the improper frame can be further accurately maintained.

In addition, alternatively, the object determination unit 46 may changethe division rule and newly divide the frame into a plurality of fieldgroups according to the changed division rule, when the differencebetween the maximum value and the minimum value of the usage countsamong the field groups is smaller than a third predetermined value (forexample, 3). The object determination unit 46 determines one of theplurality of newly divided field groups as the object section for eachmonitoring period for example. In this case, when the objectdetermination unit 46 newly divides the frame into a plurality of fieldgroups according to the changed division rule, the extraction unit 47initializes the usage counts of all the newly divided field groups to 0.Note that the new object section may be randomly determined, forexample.

According to the configuration, since the division rule of the fieldgroups is changed, arbitrariness of the object section used for theverification is improved. In addition, since the division rule of thefield groups is changed when the difference of the usage counts amongthe field groups becomes small, decline of the detection probability ofthe improper frame due to the change of the division rule in a statewhere the individual parts of the frame are not equally verified isprevented. In addition, since the count values of the usage counts arereset accompanying the change of the division rule, the usage counts forthe sections divided according to the new division rule can beappropriately counted.

Second Modification

The object determination unit 46 may determine a different field or aset of fields as the object section for each of a plurality of sets ofthe reception frames for each monitoring period. Also in this case, theobject section may be determined from the above-described field groupsfor which the frame is divided according to a predetermined divisionrule.

According to the configuration, since the arbitrariness of the objectsection used for the verification for each monitoring period isimproved, the detection probability of the improper frame can beincreased.

FIG. 4 is a diagram for explaining the verification of the framevalidity in the second modification. Similarly to FIG. 3 , in FIG. 4 ,the horizontal axis is time, and each vertically long rectangle is theframe transmitted through the communication line 4 a at each time.

In FIG. 4 , the black-painted part in the thick-line rectangleillustrating the reception frame used for the validity verification isthe attention section extracted corresponding to the object section. Inthe example in FIG. 4 , a different object section is determined foreach of three reception frame sets respectively configured by tworeception frames in the monitoring period on the left side in thefigure. In addition, in the monitoring period on the right side in thefigure, a different object section is determined for each of tworeception frame sets respectively configured by three reception frames.

Note that each set of the reception frames in each monitoring period maynot be always configured by continuous frames as illustrated in themonitoring period on the right side in FIG. 4 .

Third Modification

When the verification unit 48 determines that at least one of attentionsections extracted by the extraction unit 47 from each of the receptionframes is not proper, the object determination unit 46 may increase thenumber of the field groups to be determined as the object section fromthe plurality of divided field groups.

According to the configuration, the detection probability of theimproper frame can be adjusted by changing the number of the fieldgroups used for the verification corresponding to a situation ofimpropriety detection.

Fourth Modification

When the verification unit 48 determines that at least one of theattention sections extracted by the extraction unit 47 from each of thereception frames is not proper, the object determination unit 46 maydetermine all of the plurality of divided field groups as the objectsection.

According to the configuration, since the validity of the receptionframe is verified using all the field groups corresponding to thesituation of the impropriety detection, the detection probability of theimproper frame can be adjusted to be higher.

Fifth Modification

The verification unit 48 may increase or extend the time length of themonitoring period when one of the reception frames is determined as notbeing proper.

According to the configuration, the detection probability of theimproper frame can be adjusted by extending the monitoring period (thatis, a reception period of the frames used for the validity verification)corresponding to the situation of the impropriety detection.

Sixth Modification

The verification unit 48 may increase the predetermined number of thereception frames to be extracted for each monitoring period when one ofthe extracted reception frames is determined as not being proper.

According to the configuration, the detection probability of theimproper frame can be adjusted by increasing the number of the receptionframes for each monitoring period used for the verificationcorresponding to the situation of the impropriety detection.

Seventh Modification

The verification unit 48 may repeatedly set the monitoring periods witha suspension period in-between, and irregularly change the time lengthof the suspension period within a predetermined range on a regular basisor randomly for example.

According to the configuration, since the monitoring period is set so asto start from an irregular time along a flow of time, it is madedifficult for a malicious person to specify the monitoring period and anattack via the in-vehicle network can be effectively detected.

Operation of Communication Monitoring Device 40

Next, a procedure of the operation of the communication monitoringdevice 40 will be described. FIG. 5 is a flowchart illustrating anexample of the procedure of the operation of the communicationmonitoring device 40. Processing in FIG. 5 is repeatedly executed at apredetermined time interval for example.

When the processing is started, first, the object determination unit 46divides the frame used for the communication into a plurality of fieldgroups according to one division rule (S100). Then, the verificationunit 48 sets the monitoring period of the predetermined time length(S102). Subsequently, the object determination unit 46 determineswhether or not the monitoring period has started (S104). Then, when themonitoring period has not started (S104, NO), the object determinationunit 46 returns to step S104 to repeat the processing and waits for themonitoring period to start.

On the other hand, when the monitoring period starts (S104, YES), theobject determination unit 46 determines at least one of the dividedfield groups as the object section (S106). In addition, the receptionunit 45 receives the predetermined number of the frames from thecommunication lines 4 in the monitoring period (S108), and theextraction unit 47 extracts the determined object section from each ofthe predetermined number of the received frames as the attention section(S110).

Next, the verification unit 48 verifies, based on the extractedattention sections, the validity of the reception frames including theattention sections (S112), and transmits and outputs a result of theverification to the central ECU 2 for example (S114).

Subsequently, the processor 41 determines whether or not a power sourceof the communication monitoring device 40 is turned off (S116), and endsthe present processing when the power source is turned off (S116, YES).On the other hand, when the power source of the communication monitoringdevice 40 is not turned off (S116, NO), the processor 41 returns to stepS104 to repeat the processing.

Other Embodiments

Note that the present invention is not limited to the configuration ofthe embodiment described above, and can be implemented in various modeswithout deviating from the gist.

For example, the communication monitoring device 40 monitors thecommunication in the three communication lines 4 in the embodimentdescribed above, but may similarly monitor the communication in morethan three communication lines.

In addition, the communication monitoring device 40 is described as asingle device in the embodiment described above, but may be realized asa part of another in-vehicle ECU. For example, by integrating theprocessor 41 and the memory 42 with a processor and a memory (both notillustrated) provided in the central ECU 2, the communication monitoringdevice 40 may be realized as a part of the central ECU 2.

Further, the control system 1 includes one communication monitoringdevice 40 in the embodiment described above, but may include anarbitrary number, which is two or larger, of the communicationmonitoring devices 40. For example, the control system 1 may include twocommunication monitoring devices 40, one may monitor the communicationof a part of the communication lines 4 and the other one may monitor thecommunication of the other part of the communication lines 4.

In addition, the communication monitoring device 40 monitors thevalidity for the frames based on the CAN communication standard in theembodiment described above. However, the communication monitoring device40 is similarly applicable regarding the other kinds of communicationthat perform the communication using frames, without being limited tothe CAN.

Configurations Supported By Embodiments Described Above

The embodiments and modifications described above support theconfigurations below.

(Configuration 1) A communication monitoring device which monitorscommunication via an in-vehicle network performed among a plurality ofelectronic controllers, the communication being configured by a columnof one or more frames, the communication monitoring device including: anobject determination unit configured to determine some or all of fieldsconfiguring the frame as an object section; a reception unit configuredto receive the frame propagated through the in-vehicle network; anextraction unit configured to extract the object section as an attentionsection from a reception frame which is the frame received by thereception unit; and a verification unit configured to verify validity ofthe reception frame based on the extracted attention section.

According to the communication monitoring device of configuration 1, thevalidity of the reception frame is verified based on the attentionsection which is a part of the reception frame so that processing loadsfor the validity verification are reduced compared to a conventionaltechnology of examining control information and state information of theframes communicated for a specific controlled object. In addition, inthe communication monitoring device of configuration 1, the objectsection which stipulates the attention section can be arbitrarilyselected from the frame so that all the frames are finally verified byrepetition of verification processing, and the high detectionprobability of the improper frame can be maintained.

(Configuration 2) The communication monitoring device according toconfiguration 1, wherein the object determination unit divides the frameused for the communication into a plurality of field groups according toone division rule, and determines at least one of the field groups asthe object section.

According to the communication monitoring device of configuration 2,since the object section is selected from the field groups, a referencefor the validity verification in the object section can be easilydetermined according to the content definition of the fields included inthe field group for example.

(Configuration 3) The communication monitoring device according toconfiguration 2, wherein the extraction unit counts a usage count forwhich each of the field groups is used for extraction of the attentionsection, and the object determination unit determines, when a differencebetween a maximum value and a minimum value of the usage counts amongthe field groups is a first predetermined value or larger, at least onenew object section from the plurality of divided field groups excludingthe field group the usage count of which is the maximum value.

According to the communication monitoring device of configuration 3,since the object section is selected from the field groups other thanthe field group which is used many times, the high detection probabilityof the improper frame can be further accurately maintained.

(Configuration 4) The communication monitoring device according toconfiguration 3, wherein the object determination unit determines a newobject section from all the divided field groups, when the differencebetween the maximum value and the minimum value of the usage countsamong the field groups is smaller than a second predetermined value.

According to the communication monitoring device of configuration 4,since a new object section is selected from all the field groups whenthe difference of the usage counts among the field groups becomes small,the high detection probability of the improper frame can be furtheraccurately maintained.

(Configuration 5) The communication monitoring device according to anyone of configurations 2-4, wherein the extraction unit counts a usagecount for which each of the field groups is used for extraction of theattention section, and the object determination unit changes thedivision rule, newly divides the frame into a plurality of field groupsaccording to the changed division rule, and determines at least one ofthe plurality of newly divided field groups as the object section, whenthe difference between the maximum value and the minimum value of theusage counts among the field groups is smaller than a thirdpredetermined value.

According to the communication monitoring device of configuration 5,since the division rule of the field groups is changed, thearbitrariness of the object section used for the verification isimproved. In addition, since the division rule of the field groups ischanged when the difference of the usage counts among the field groupsbecomes small, the decline of the detection probability of the improperframe due to the change of the division rule in the state where theindividual parts of the frame are not equally verified is prevented.

(Configuration 6) The communication monitoring device according toconfiguration 5, wherein the extraction unit initializes, when theobject determination unit newly divides the frame into a plurality offield groups according to the changed division rule, the usage counts ofall the newly divided field groups to 0.

According to the communication monitoring device of configuration 6,since the count values of the usage counts are reset accompanying thechange of the division rule, the usage counts for the sections dividedaccording to the new division rule can be appropriately counted.

(Configuration 7) The communication monitoring device according to anyone of configurations 2-6, wherein the object determination unitincreases the number of the field groups to be determined as the objectsection from the plurality of divided field groups, when theverification unit determines that at least one of the attention sectionsextracted by the extraction unit from each of the reception frames isnot proper.

According to the communication monitoring device of configuration 7, thedetection probability of the improper frame can be adjusted by changingthe number of the field groups used for the verification correspondingto the situation of the impropriety detection.

(Configuration 8) The communication monitoring device according to anyone of configurations 2-6, wherein the object determination unitdetermines all of the plurality of divided field groups as the objectsection, when the verification unit determines that at least one of theattention sections extracted by the extraction unit from each of thereception frames is not proper.

According to the communication monitoring device of configuration 8,since the validity of the reception frame is verified using all thefield groups corresponding to the situation of the improprietydetection, the detection probability of the improper frame can beadjusted to be higher.

(Configuration 9) The communication monitoring device according to anyone of configurations 2-8, wherein the verification unit sets amonitoring period of a predetermined time length, and the reception unitreceives the frame propagated through the in-vehicle network in themonitoring period.

According to the communication monitoring device of configuration 9,since the communicated frame is monitored only in the monitoring periodof the predetermined time length, the processing loads for the validityverification of the frame are reduced.

(Configuration 10) The communication monitoring device according toconfiguration 9, wherein the object determination unit randomlydetermines at least one of the field groups as the object section everytime the monitoring period starts.

According to the communication monitoring device of configuration 10,since the object section is randomly determined for each monitoringperiod, the high detection probability of the improper frame can be moreaccurately maintained.

(Configuration 11) The communication monitoring device according toconfiguration 9 or 10, wherein the verification unit verifies thevalidity for a predetermined number of the reception frames in eachmonitoring period, and increases the time length of the monitoringperiod when one of the reception frames is determined as not beingproper.

According to the communication monitoring device of configuration 11,the detection probability of the improper frame can be adjusted byextending the monitoring period which is a reception period of theframes used for the validity verification corresponding to the situationof the impropriety detection.

(Configuration 12) The communication monitoring device according toconfiguration 11, wherein the verification unit increases thepredetermined number when one of the extracted reception frames isdetermined as not being proper.

According to the communication monitoring device of configuration 12,the detection probability of the improper frame can be adjusted byincreasing the number of the reception frames for each monitoring periodused for the verification corresponding to the situation of theimpropriety detection.

(Configuration 13) The communication monitoring device according to anyone of configurations 9-12, wherein the verification unit repeatedlysets the monitoring periods with a suspension period in-between, andirregularly changes the time length of the suspension period within apredetermined range.

According to the communication monitoring device of configuration 13,since the monitoring period is set so as to start from an irregular timealong the flow of time, it is made difficult for a malicious person tospecify the monitoring period and an attack via the in-vehicle networkcan be effectively detected.

(Configuration 14) The communication monitoring device according to anyone of configurations 9-13, wherein the object determination unitdetermines a different field or a set of fields as the object sectionfor each of a plurality of sets of the reception frames for eachmonitoring period.

According to the communication monitoring device of configuration 14,the arbitrariness of the object section used for the verification foreach monitoring period is improved, and the detection probability of theimproper frame can be increased.

(Configuration 15) A communication monitoring method conducted by acomputer of a communication monitoring device which monitorscommunication via an in-vehicle network performed among a plurality ofelectronic controllers, the communication being configured by a columnof one or more frames, the communication monitoring method comprising: astep of determining some or all of fields configuring the frame as anobject section; a step of repeatedly receiving the frame propagatedthrough the in-vehicle network; a step of extracting the object sectionas an attention section from a reception frame which is the framereceived in the receiving step; and a step of verifying validity of thereception frame based on the extracted attention section.

According to the communication monitoring method of configuration 15,the validity of the reception frame is verified based on the attentionsection which is a part of the reception frame so that processing loadsfor the validity verification are reduced compared to a conventionaltechnology of examining control information and state information of theframes communicated for a specific controlled object. In addition, inthe communication monitoring method of configuration 15, the objectsection which stipulates the attention section can be arbitrarilyselected from the frame so that all the frames are finally verified byrepetition of verification processing, and the detection probability ofthe improper frame can be maintained high.

REFERENCE SIGNS LIST

1 . . . control system, 2 . . . central ECU, 4 a, 4 b, 4 c . . .communication line, 20 . . . zone ECU, 20 a . . . first zone ECU, 20 b .. . second zone ECU, 20 c . . . third zone ECU, 30, 30 a, 30 b, 30 c, 30d, 30 e, 30 f, 30 g, 30 h, 30 i . . . ECU, 40 . . . communicationmonitoring device, 41 . . . processor, 42 . . . memory, 43 . . .communication device, 44 . . . communication monitoring program, 45 . .. reception unit, 46 . . . object determination unit, 47 . . .extraction unit, 48 . . . verification unit.

What is claimed is:
 1. A communication monitoring device which monitorscommunication via an in-vehicle network performed among a plurality ofelectronic controllers, the communication being configured by a columnof one or more frames, the communication monitoring device comprising:an object determination unit configured to determine some or all offields configuring the frame as an object section; a reception unitconfigured to receive the frame propagated through the in-vehiclenetwork; an extraction unit configured to extract the object section asan attention section from a reception frame which is the frame receivedby the reception unit; and a verification unit configured to verifyvalidity of the reception frame based on the extracted attentionsection.
 2. The communication monitoring device according to claim 1,wherein the object determination unit divides the frame used for thecommunication into a plurality of field groups according to one divisionrule, and determines at least one of the field groups as the objectsection.
 3. The communication monitoring device according to claim 2,wherein the extraction unit counts a usage count for which each of thefield groups is used for extraction of the attention section, and theobject determination unit determines, when a difference between amaximum value and a minimum value of the usage counts among the fieldgroups is a first predetermined value or larger, at least one new objectsection from the plurality of divided field groups excluding the fieldgroup the usage count of which is the maximum value.
 4. Thecommunication monitoring device according to claim 3, wherein the objectdetermination unit determines a new object section from all the dividedfield groups, when the difference between the maximum value and theminimum value of the usage counts among the field groups is smaller thana second predetermined value.
 5. The communication monitoring deviceaccording to claim 2, wherein the extraction unit counts a usage countfor which each of the field groups is used for extraction of theattention section, and the object determination unit changes thedivision rule, newly divides the frame into a plurality of field groupsaccording to the changed division rule, and determines at least one ofthe plurality of newly divided field groups as the object section, whena difference between a maximum value and a minimum value of the usagecounts among the field groups is smaller than a third predeterminedvalue.
 6. The communication monitoring device according to claim 5,wherein the extraction unit initializes, when the object determinationunit newly divides the frame into a plurality of field groups accordingto the changed division rule, the usage counts of all the newly dividedfield groups to
 0. 7. The communication monitoring device according toclaim 2, wherein the object determination unit increases the number ofthe field groups to be determined as the object section from theplurality of divided field groups, when the verification unit determinesthat at least one of the attention sections extracted by the extractionunit from each of the reception frames is not proper.
 8. Thecommunication monitoring device according to claim 2, wherein the objectdetermination unit determines all of the plurality of divided fieldgroups as the object section, when the verification unit determines thatat least one of the attention sections extracted by the extraction unitfrom each of the reception frames is not proper.
 9. The communicationmonitoring device according to claim 2, wherein the verification unitsets a monitoring period of a predetermined time length, and thereception unit receives the frame propagated through the in-vehiclenetwork in the monitoring period.
 10. The communication monitoringdevice according to claim 9, wherein the object determination unitrandomly determines at least one of the field groups as the objectsection every time the monitoring period starts.
 11. The communicationmonitoring device according to claim 9, wherein the verification unitverifies the validity for a predetermined number of the reception framesin each monitoring period, and increases the time length of themonitoring period when one of the reception frames is determined as notbeing proper.
 12. The communication monitoring device according to claim11, wherein the verification unit increases the predetermined numberwhen one of the extracted reception frames is determined as not beingproper.
 13. The communication monitoring device according to claim 9,wherein the verification unit repeatedly sets the monitoring periodswith a suspension period in-between, and irregularly changes the timelength of the suspension period within a predetermined range.
 14. Thecommunication monitoring device according to claim 9, wherein the objectdetermination unit determines a different field or a set of fields asthe object section for each of a plurality of sets of the receptionframes for each monitoring period.
 15. A communication monitoring methodconducted by a computer of a communication monitoring device whichmonitors communication via an in-vehicle network performed among aplurality of electronic controllers, the communication being configuredby a column of one or more frames, the communication monitoring methodcomprising: a step of determining some or all of fields configuring theframe as an object section; a step of repeatedly receiving the framepropagated through the in-vehicle network; a step of extracting theobject section as an attention section from a reception frame which isthe frame received in the receiving step; and a step of verifyingvalidity of the reception frame based on the extracted attentionsection.